Researchers discover critical vulnerabilities in Ferrari, BMW, Toyota, and other automotive giants


Security researchers, including Web application security researcher Sam Curry, discovered severe vulnerabilities in Ferrari, BMW, Toyota, Ford, and other automotive companies.

The disclosed vulnerabilities varied by manufacturer and their specifics. One finding was the full compromise of an undisclosed system used by AT&T, which could potentially allow a threat actor to send and receive text messages, retrieve live geolocation, and disable hundreds of millions of SIM cards installed in Tesla, Subaru, Toyota, and Mazda vehicles, among others.

“The impact of this vulnerability went far beyond the scope of car hacking and affected nearly every industry (nearly anything which uses a SIM card),” researchers add.


Spireon, North America’s largest device-independent telematics company, also found itself under the spotlight. The vulnerabilities discovered there included remote code execution on the core systems managing 1.2 million user accounts; full administrator access to a company-wide administration panel, allowing an attacker to send arbitrary commands to an estimated 15.5 million vehicles and read their location; and the ability to fully take over any vehicle, including police cars and ambulances.

Mercedes-Benz’s vulnerabilities also included remote code execution on multiple systems, as well as improperly configured single sign-on (SSO) – a method for authenticating users – that provided access to many mission-critical internal applications, and memory leaks that could lead to account access.

BMW and Rolls Royce, owned by the BMW Group, also had core SSO vulnerabilities, allowing researchers to access any employee application on their behalf.

Ferrari was also found to lack access controls, allowing an attacker to manage employee “back office” administrator user accounts, and to have vulnerabilities that could let threat actors access all Ferrari customer records or take over any Ferrari customer account.

According to the researchers, an insecure direct object reference (IDOR) in Toyota Financial – a vulnerability that arises from broken access control in web applications – disclosed the name, phone number, email address, and loan status of any Toyota Financial customer.
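To make the IDOR class concrete, here is an added example (not code from the article, the researchers or Toyota) modelling a hypothetical loan-status lookup in Python: the first handler trusts the customer id taken from the request, the second binds the lookup to the identity established at login, and a small self-check shows the difference.

```python
# Added example, not from the article: a minimal model of an IDOR in a
# hypothetical loan-status endpoint and its object-level authorization fix.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    customer_id: str  # identity bound to the session at login (constructed)


# Constructed sample records standing in for a finance customer database.
CUSTOMERS = {
    "c-1001": {"name": "Ada Example", "phone": "+1-555-0100",
               "email": "ada@example.test", "loan_status": "current"},
    "c-1002": {"name": "Bob Example", "phone": "+1-555-0101",
               "email": "bob@example.test", "loan_status": "delinquent"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def loan_status_idor(session: Session, customer_id: str) -> dict:
    """Vulnerable: the caller is authenticated, but the record being requested
    is never checked against that identity. Any id in the request is honoured."""
    return CUSTOMERS[customer_id]


def loan_status_fixed(session: Session, customer_id: str) -> dict:
    """Fixed: object-level authorization. The identifier in the request must
    match the identity bound to the session before any data is read."""
    if customer_id != session.customer_id:
        raise Forbidden(f"session {session.customer_id} may not read {customer_id}")
    return CUSTOMERS[customer_id]


def leaks_other_customer(handler, victim_id: str, other: Session) -> bool:
    """Regression check for the fix: True if `handler` returns another
    customer's record to an unrelated session, i.e. the endpoint has an IDOR."""
    try:
        record = handler(other, victim_id)
    except Forbidden:
        return False
    return "loan_status" in record
```

The check is the kind of test a team would keep in its suite so that the ownership comparison cannot be dropped again without a failing build.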

Ford was found to have a potential customer account takeover via improper URL parsing, and a full memory disclosure on a production vehicle telematics API.

Other giants with discovered vulnerabilities included SiriusXM, Reviver, Jaguar, Porsche, Land Rover, Hyundai, Genesis, Kia, Honda, Infiniti, Nissan, and Acura.
